[Infowarrior] - Meet the network operators helping to fuel the spike in big DDoS attacks

Richard Forno rforno at infowarrior.org
Fri Nov 9 07:28:52 CST 2012


Meet the network operators helping to fuel the spike in big DDoS attacks

SoftLayer, GoDaddy, AT&T, and iWeb make a list of top 10 most abused networks.

by Dan Goodin - Oct 31 2012, 3:43pm EDT

http://arstechnica.com/security/2012/10/meet-the-network-operators-helping-fuel-the-spike-in-big-ddos-attacks/

A company that helps secure websites has compiled a list of some of the Internet's biggest network nuisances—operators that run open servers that can be abused to significantly aggravate the crippling effects of distributed denial-of-service attacks on innocent bystanders.

As Ars recently reported, DDoS attacks have grown increasingly powerful in recent years, thanks in large part to relatively new tools and methods. But one technique that is playing a key role in many recent attacks isn't new at all. Known as DNS amplification, it relies on open domain name system servers to multiply the amount of junk data attackers can direct at a targeted website. DNS runs over UDP, so a query's source address is never verified: by sending a modest-sized query to an open DNS server with the source address forged to be the victim's, the attacker makes the server deliver its much larger answer to the unfortunate target instead of back to the sender. The result is a torrent of data at the victim site that can be 50 times bigger than the original request.
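The mechanics described above, as an added example that is not from the article or from CloudFlare: the Python below builds the kind of query an amplification attacker spoofs (type ANY with a 4096-byte EDNS0 buffer, 36 bytes on the wire), and classifies a resolver's reply as "open recursive" or not while measuring the amplification factor. The replies it scores are constructed inline for the demonstration, not captured traffic; the resolver address in the commented-out probe call is a documentation range and is hypothetical, as is the assumption that the target name (isc.org) would return three 255-byte TXT strings.

```python
"""Added example (not from the article or CloudFlare): the query an attacker
spoofs in a DNS amplification attack, plus a classifier for the reply."""
import random
import socket
import struct

TYPE_TXT, TYPE_OPT, TYPE_ANY, CLASS_IN = 16, 41, 255, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5
# OPT pseudo-RR (RFC 6891): root name, type OPT, 4096-byte UDP payload size in the
# class field, TTL 0 (no DO bit), empty RDATA.
EDNS_OPT = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)


def encode_name(name):
    """'isc.org' -> b'\\x03isc\\x03org\\x00' (RFC 1035 labels)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=TYPE_ANY, txid=None):
    """Recursion-desired query carrying an EDNS0 OPT RR. ANY plus a large EDNS
    buffer is the combination abused in amplification: tens of bytes in,
    thousands of bytes out. An attacker sends this with the victim's address
    forged as the UDP source; here it is only built and measured."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags RD=1; QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + EDNS_OPT


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the classifier needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar}


def classify(query, response):
    """Return (is_open_resolver, amplification_factor).
    A resolver that recurses for anyone replies QR=1, RA=1, NOERROR with answers;
    one restricted to its own network replies REFUSED (or not at all), and a
    purely authoritative server replies without RA for names it does not host."""
    q, r = parse_header(query), parse_header(response)
    is_open = (r["id"] == q["id"] and r["qr"] and r["ra"]
               and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0)
    return is_open, len(response) / len(query)


def probe(resolver_ip, name="isc.org", timeout=2.0):
    """Send one query to resolver_ip:53 and classify the reply; None on timeout.
    Network I/O: only use against resolvers you are authorised to test."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            response, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return classify(query, response)


def constructed_response(query, rcode, txt_strings):
    """Constructed for this example, not captured traffic: a reply to `query`
    with the given RCODE and one TXT RR per string (owner name compressed to
    offset 12, i.e. 0xC00C), plus the OPT RR a resolver echoes back."""
    h = parse_header(query)
    question = query[12:query.index(b"\x00", 12) + 1 + 4]  # qname to its terminator, then QTYPE/QCLASS
    flags = 0x8180 | rcode                                  # QR=1, RD=1, RA=1: a recursing resolver
    header = struct.pack("!HHHHHH", h["id"], flags, 1, len(txt_strings), 0, 1)
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s                         # TXT RDATA: length-prefixed character string
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers + EDNS_OPT


def demo():
    """36-byte ANY query vs. a constructed 840-byte reply from an open resolver,
    and the same query answered REFUSED by a restricted one."""
    query = build_query("isc.org")
    fat_reply = constructed_response(query, RCODE_NOERROR, [b"x" * 255] * 3)
    refused = constructed_response(query, RCODE_REFUSED, [])
    return classify(query, fat_reply), classify(query, refused), len(query), len(fat_reply)


if __name__ == "__main__":
    (is_open, factor), (still_open, _), qlen, rlen = demo()
    print(f"open resolver: open={is_open}, {qlen} bytes in -> {rlen} bytes out (x{factor:.1f})")
    print(f"restricted resolver: open={still_open}")
    # print(probe("192.0.2.53"))  # hypothetical address (TEST-NET-1); uncomment only with authorisation
```

Three 255-byte TXT strings already give a factor above 23 from a 36-byte query; a real ANY answer for a DNSSEC-signed zone carries RRSIG records as well, which is how the 50x figure in the article is reached. The classifier deliberately treats a REFUSED reply as the good outcome: that is what a resolver restricted to its operator's own prefixes returns to everyone else.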

Engineers at San Francisco-based CloudFlare have been shielding one customer from the effects of a DDoS attack that has flooded it with 20 gigabits-per-second of data around the clock for three weeks. While attacks of 100Gbps aren't unheard of, 20Gbps sustained is still a massive attack, one that even large botnets are generally unable to wage.

CloudFlare engineers soon determined the attackers behind the assault were abusing the open DNS resolvers belonging to a variety of large network operators. Many of these are well-known brand names: US-based SoftLayer, GoDaddy, AT&T, iWeb, and Amazon. The sustained attack comes as several distinct botnets appear to have been updated to enumerate huge lists of open resolvers. That means amplification attacks could become more common.

Given the damage they can have on innocent bystanders, such open servers have long been considered a nuisance. It's the Internet equivalent of a dilapidated crack house in the inner city or a rural front yard filled with old washing machines and rusted car parts. As a result, operators have been admonished repeatedly to make DNS resolvers available only to addresses located on their network, rather than to the Internet as a whole.
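The restriction the operators have been admonished to apply, shown as an added BIND 9 named.conf extract that is not taken from the article or from any of the named operators' configurations. The 192.0.2.0/24 prefix is a documentation range standing in for the operator's own customer addresses; substitute the real allocations.

```conf
// Added example, not an operator's real configuration.
// Assumption: 192.0.2.0/24 stands in for the operator's own customer prefixes.
acl "ours" { localnets; 192.0.2.0/24; };

options {
    // Before: what an out-of-the-box install often gives you, and what puts an
    // operator on the list above. Recursion is on and nothing limits who may use it.
    //     recursion yes;

    // After: recurse for customers only; everyone else gets REFUSED.
    recursion yes;
    allow-recursion { ours; };
    allow-query-cache { ours; };   // also stop outsiders pulling answers from the cache
};

// A host that only serves its own zones needs no recursion at all:
//     recursion no;
```

The equivalent in Unbound is an `access-control: 192.0.2.0/24 allow` line in unbound.conf; Unbound refuses queries from addresses it has not been told about, so the usual mistake there is the opposite one, an over-broad `0.0.0.0/0 allow`. Either way, the check is the one from the amplification example earlier: a query from outside the listed prefixes should come back REFUSED rather than with a full answer.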

The CloudFlare engineers compiled a list of the networks hosting the open DNS servers and ranked them by the share of the attack each was responsible for. With 68,459 unique open resolvers participating in the ongoing attack, there was plenty of blame to go around. The list names networks located on every corner of the globe, including those owned by Amazon, Turk Telekomunikasyon Anonim Sirketi, and Nepal Telecommunications Corporation. Still, CloudFlare CEO Matthew Prince found that the top 10 offenders provided 15,611 of those servers—or almost 23 percent of the firepower behind the attack.

The top 10 network operators named by Prince are: PKTELECOM-AS-PK Pakistan Telecom Company Limited; HINET Data Communication Business Group; CRNET CHINA RAILWAY Internet(CRNET); THEPLANET-AS - ThePlanet.com Internet Services, Inc.; CHINANET-BACKBONE No.31, Jin-rong Street; SOFTLAYER - SoftLayer Technologies Inc.; OCN NTT Communications Corporation; AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC; ATT-INTERNET4 - AT&T Services, Inc.; and IWEB-AS - iWeb Technologies Inc.

"Wonder why there's been an increase in big DDoS attacks?" Prince wrote in a blog post published on Tuesday. "It's in large part because the network operators listed above have continued to allow open resolvers to run on their networks and the attackers have begun abusing them."

In a previous blog post documenting CloudFlare's work in blocking DDoS attacks that reached an astounding 65Gbps in size, Prince said the company regularly reaches out to the worst open DNS offenders. Frequently, the advisories fall on deaf ears.

"One of the great ironies when we deal with these attacks is we'll often get an e-mail from the owner of the network where an open resolver is running asking us to shut down the attack our network is launching against them," he explained. "They're seeing a large number of UDP packets with one of our IPs as the source coming in to their network and assume we're the ones launching it. In fact, it is actually their network which is being used to launch an attack against us."

Ars contacted representatives of all four US-based companies and received replies from all but AT&T. The three responding operators stressed they take the issue of open, "recursive" DNS servers seriously and recognize them as a security issue that can affect the overall health of the Internet. They went on to describe the difficulty of ensuring each DNS server running on their network is secured properly, in large part because improper configurations are often the result of decisions made by paying customers.

"As an unmanaged hosting provider, SoftLayer does not make proactive direct changes to our customers' servers," said Ryan Carter, a manager in the abuse department at SoftLayer. "These customers are able to run their own authoritative name servers on their servers, and they're able to configure them for resolvers. DNS is the hardest simple protocol out there because so many people have no clue what it is or how it works. Instead of learning the best practices of DNS management, they'll take the path of least resistance to just get the functionality online."

A statement attributed to GoDaddy Director of Information Security Operations Scott Gerlach said a "handful of Go Daddy customers are using the dedicated and virtual dedicated server environments to configure DNS on their systems" and disputed the number of open DNS servers cited by CloudFlare.

"Anyone who detects malicious traffic emanating from our network can best serve the interest of the Internet community by contacting us quickly and directly," the statement continued. "This will trigger a specific and swift investigation so we can take appropriate action."

In an e-mail, iWeb co-founder Martin Leclair wrote: "Open resolvers are vulnerable to multiple malicious activities and... the best practice is to prevent open resolvers. So when we detect open resolvers on our network we recommend to our users to follow the best practices. It is not that easy because the DNS products can sometimes default to open resolver when installed, and customers need to tweak the configurations to limit DNS resolution."

Given that many private efforts by CloudFlare haven't worked, the latest name-and-shame approach can't hurt. If you're a manager at one of the above-named operators, or at any of the almost 4,000 other operators named in the complete list, you might think about getting a hold of someone at CloudFlare. They'll be happy to help you make the Internet a more secure place by restricting access to your DNS servers.

---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.



More information about the Infowarrior mailing list